Lo and behold, Lee Silverman once said: > For example, if someone gave you a cgi-bin script and asked you to tell > them if it was going to cause any security holes, what would you look for? Check for any use of the system() call, or an open() which allows user inputtable data. So if you're letting them select a filename, or finger, or anything similar, be paranoid. This can be avoided easily in perl with the open(BLAH, "-|") || exec 'command', 'arg1', 'arg2'; syntax, or in C by using your own fork/exec instead of just system'ing. With shell scripts, it applies to all commands and things like finger_info=`finger $username` . If you're going to use this syntax, you'd best sanitize the daylights out of the user accepted data. :) The other security concerns are in scripts/programs which are suid and rely upon environment variables.. it's crucial that you prevent a user from executing it on their own with their own environment variables. Perl is nice that way, in that it deems all environment variables "tainted" unless you sanitize them, but common sense is still pretty necessary. Other little things: Make sure your data structures can't be overrun by an incredibly large amount of data. Most of the time you'll just crash, but someone could get clever, I suppose. Ahh.. *shrugs* -Dave Andersen --- angio@aros.net system administration Blah blah, my opinions are my own, etc.